I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.

That assumption has today been blown completely out of the water amid revelations that Canada’s top electronic surveillance agency has been spying on millions of downloads from more than 100 file-sharing sites.

On May 13, after creating a customized version of Tails for Greenwald, I hopped on my bike and pedaled to the FedEx office on Shattuck Avenue in Berkeley, where I slipped the Tails thumb drive into a shipping package, filled out a customs form that asked about the contents (“Flash Drive Gift,” I wrote), and sent it to Greenwald in Brazil. He received the package two weeks later, it having been delayed in transit, for what I believed to be bureaucratic rather than nefarious reasons, and the blue thumb drive actually made a cameo appearance in “Citizenfour.” For a technologist, this was a dream come true.

With Apple Pay, no credit card data — even in encrypted form — is ever stored on the iPhone or on Apple’s servers. Similarly, no credit card data is ever transmitted to or stored on a merchant’s servers.

When a user first signs up for Apple Pay, either via an existing iTunes credit card or by loading a new one onto the iPhone, the card information is immediately encrypted and securely sent to the appropriate credit card network. Upon determining that the credit card account is valid, a token is sent back down to the device whereupon it’s safely stored within the iPhone’s Secure Element.

Well, this isn’t good. Akamai security researcher Stephane Chazelas has discovered a devastating flaw in the Unix Bash shell, leaving Linux machines, OS X machines, routers, older IoT devices, and more vulnerable to attack. “Shellshock,” as it’s been dubbed, allows attackers to run deep-level shell commands on your machine after exploiting the flaw, but the true danger here lies in just how old Shell Shock is—this vulnerability has apparently been lurking in the Bash shell for years.

Apparently the encryption malware Bitcrypt has been broken. Here’s a fascinating look at the analysis required to figure out the virus and reverse engineer it.

With such factors, we could build a Python script implementing all the cryptographic operations to decipher the encrypted files, and save the precious pictures. Such a Python script is available on our bitbucket repository.

Like all Americans (and every human being for that matter), I want to be safe. But I can’t help but question the efficacy of our national security policy, including the practice of detaining U.S. citizens because something (never specifically explained) about a name or person’s identity is said to match that of someone somewhere in the world who is deemed to pose a threat to America. How close is the match? What aspects of one’s “profile” are searched for a match? None of that is ever explained.

Read the whole piece… Ahmed is very aware of the “safety” of screening and all that crap, but come on, WTF guys. Why can’t you just say “we’re going to discriminate against brown people because they’re brown… oh, and anyone with a funny terrorist name” and have it out in the open, instead of pretending that they were randomly selected, or a profile match, or whatever excuse that isn’t “you look like the people who attacked the US on 9/11 so we’re going to fuck with you”.

Suddenly had extra ads, popups, and new search results show up and your virus and spyware scanner reports everything as a-ok? It might be to do with the report from Ars on Adware vendors buying Chrome Extensions and updating them with spyware. Because Chrome extensions update silently, and are out of the scope of spyware and virus scanners, it’s a great new vector to use for scammers and advertisers. Other things:

Chrome extensions are fairly easy to make, so being offered a few thousand for a couple of hours work that it took to make an extension is a good deal if you’re not clear on what the new owner will do with it.

Many extensions ask for full access to all your browsing (normally by necessity), making them an attractive target for purchase.

Something to be aware of. If google was smart they’d either add in some sort of spyware checking, or add a notification to the user on either extension ownership change, or a more obvious changelog.

Sorry, RSA, I’m just not buying it is the title of the latest blog from Kevin Mitnick, noted security expert. If you haven’t kept up, revelations came to light lately that security company RSA took $10 million from the NSA to deliberately weaken / backdoor their RSA cryptography, and RSA denied it, kinda. Mitnick basically says “nope”, but in a much more elegant way.

Via the Wall Street Journal, an Apple spokesperson fleshes out some of the finer details surrounding the fingerprint sensor and Touch ID. To use Touch ID, it is mandatory to also set up a passcode. This acts as a fallback in case the fingerprint sensor fails temporarily or experiences a permanent hardware fault. iOS may necessitate a passcode under some other conditions, as well.

Assuming that you believe them, and don’t think they’re a front for the NSA to get everyone’s fingerprints as well as location, contacts, etc (the iPhone does seem to be the phone of choice for terrorists), this is good news.

The “Back up my data” option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.

Ignoring the implications of google knowing yet another bit of information about us, or the tinfoil hats when you combine this information with the previous scandal with them capturing and saving encrypted wifi data from the street view cars, where are the pitchforks? If Apple did this, there’d be a class action lawsuit already (even if the story was completely different, it’d be filed purely on the headline).

Ilja van Sprundel, a security researcher with IOActive, has discovered a large number of issues in the way various X client libraries handle the responses they receive from servers, and has worked with X.Org’s security team to analyze, confirm, and fix these issues.

Fixes are underway already, and it sounds like (to someone not hugely versed in deep x.org code) the issues aren’t going to affect the normal linux user running behind a firewall, but if you run unchecked code from untrusted sources locally (or allow other users to connect to the X.org port remotely), be careful. Keep up to date with updates and make sure your system is patched over the next week or two.

BitTorrent Inc. has opened up its Sync app to the public today. The new application is free of charge and allows people to securely sync folders to multiple devices using the BitTorrent protocol. Complete control over the storage location of the files and the absence of limits is what sets BitTorrent’s solution apart from traditional cloud based synchronization services.

Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.

We believe that being offered our virtual asylum in Korea is a first step of this country’s changing view of access to information. It’s a country opening up and one thing is sure, they do not care about threats like others do. In that way, TPB and Korea might have a special bond. We will do our best to influence the Korean leaders to also let their own population use our service, and to make sure that we can help improve the situation in any way we can. When someone is reaching out to make things better, it’s also ones duty to grab their hand.

In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.

But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.

I knew about having to opt out of the toolbar crapware, but some stuff in there I am amazed that they get away with.

Short version: there’s almost no reason to use Java, so don’t install it. Ever.

First, the letter was anonymous. You, and you alone, determined whether you identified yourself as sender on the outside of the envelope for the world to know, on the inside of the letter for only the recipient to know, or didn’t identify yourself at all when sending a letter. This was your prerogative.

In the article Outlawed by Amazon DRM, probably the worst of all cases of DRM is exposed. This is the sort of thing that gets your Open Source friends will use as a prime example of why DRM is bad, and quite frankly, they’re right.

The short version is a friend of the author had her Kindle wiped and her Amazon account closed with no explanation and no recourse. Talking to Amazon was like talking to a brick wall in terms of either a) getting it reversed or b) figuring out why.

Hows this for starting the news cyle for the new school year with a bang? Ok, so what seems like has happened. FBI has a huge list of Apple iPhone UDID (unique phone identifiers) along with names, device types, and other personal identifiable information. FBI has this on a laptop. Hacker hacks into laptop and retrieves said information. Anonymous then leaks this information to the web.

During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java, during the shell session some files
were downloaded from his Desktop folder one of them with the name of
“NCFTAiOSdevices_intel.csv” turned to be a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc. the personal details fields referring to people
appears many times empty leaving the whole list incompleted on many parts. no
other file on the same folder makes mention about this list or its purpose.

Obviously a few questions come up. Why does the FBI have this information? Where did it come from? What (if any) connection does Apple have? Is it legit? Does this mean that the FBI is actively tracking users, or just gathering device information? Are these American citizens, non-Americans, or maybe just racially profiled iPhone users?

So if you're worried about Dropbox not being as private as you were led to believe, you might want to check out SecretSync - Client-side encryption for Dropbox. Basically it creates a folder that will be encrypted on the client side before it's synced up to dropbox, and only accessible to you. Windows only, but mac and linux clients coming soon.

Note: I have no idea if this has been tested or verified by anyone, for all I know installing this program could sell your secrets to the Russians and talk to your mother dirty. Just sayin'. Thanks Bryan for the link.

Not sure how old this is, but check out the Creepy app. It will scrub the internet for location data for a given twitter or flickr ID and display it all in a nice map for you. Good reason to start removing those geotags from your images and social network data. Think about this as doing for location data what Firesheep did for https security.

Marco.org warns of The Asian domain-name extortion scam. Pretty similar to a bunch of similar scams, and now you've been warned (assuming the email doesn't get caught up in your spam filter of course :)

Must plug my good buddy Dana and his company Scorpion Software's premier episode of a podcast called "Five by 5".

I am pleased to announce that we are launching a new webisodic series called "Five by 5" to do just that. It will be a weekly to bi-weekly web based show covering the tips, tricks and tactics to use when considering how to secure remote access to information.

Sneaky, that - trying to get you to install McAfee Security Scan Plus when all you actually want is an update of Flash.

I can understand if you're a small company trying to get a bit of extra revenue from installing crapware like the Ask toolbar, etc, but Adobe seems a bit big to do this sort of thing. The only justification I can see is that they are truly concerned about user's security and feel they aren't going to listen to a "hey, you know you should have an AV program installed" type message, and figure it's better to just shove AV software down their throats. I pity the IT workers that are going to have to deal with uninstalling this or dealing with conflicts or other really bad things resulting from users randomly installing things on their computers.

ReclaimPrivacy.org is a Facebook Privacy Scanner which will scan your facebook settings for you and show you any issues with it, and give a one-click fix to fix them.

With the backlash against Facebook lately, this is a great looking tool that works nicely. The only complaint I have is that it will just fix the issues with one click, without actually telling you exactly what it's doing, in case you were wanting to keep it that way, or tweak it. Still, perfect for your mother/sister/kids/grandmother who you don't want to accidentally share out a bit too much!

I didn't really get what the big deal was about at first, but after reading through the Are Like Buttons Evil?, I'm getting it a bit more. I can forgive Facebook for a lot of their sins, but defaulting a privacy policy in which other "affiliate" (read: advertisers) to open is fairly evil. The article goes more into how this isn't "open" (ie: the "like" button only goes back to facebook, not to digg/reddit/etc), but for me I'm more concerned about the security implications for people having to deal with the settings they don't understand.

To turn this off, log into facebook and then:

Go to Account

Go to Privacy Settings

Click Applications and Websites

Click Instant Personalization (great description eh?)

Finally you can decide to uncheck the "Allow select partners to instantly personalize their features with my public information when I first arrive on their websites." button

5 Steps through pretty nonspecificly named menus, to get to an option that a) gives your details to advertisers and b) defaults to on... sorry Facebook, but that's pretty evil. Of course, they know if they default it to 'off' no one would ever turn it on, so they wouldn't make their next bazillion dollars from our personal information to other big companies.

Not that I'd advocate this of course, but the Crash jQuery Plugin is there to use if you need to for some reason.

Seriously though, crashing someone's browser isn't cool, cause lets be honest, the people that are still running ie6 are either a) people like your grandmother who doesn't know any better, or b) people have have to because they work with some sort of antiquated company or software that requires it.

Course, these people aren't going to be surfing to sites that will have jQuery enabled anyway....

Look like there is a bug in Spamassassin in the check for "dates grossly in the future" which defines among other things, 2010 as "grossly in the future". The details are here. I've updated the ruleset on UFies.org though, but please check your spam boxes if you use SA for your spam checking.

Found out on TWIT this week that Audible.com is having a thanksgiving giveaway of a free audiobook (no credit card required, but an account is needed) and the selection is pretty good, not just crap ones. Hey, free is free!

Being that the New jailbroken iPhone worm is malicious, it's another reminder to people who have jailbroken phones that if you can ssh into the phone with username root and password of 'alpine', you really want to change the password, cause everyone knows what it is already.

Davey Winder says that 80 percent of viruses love Windows 7, and that a Windows 7 machine without AV software on it gobbled up viruses like a fat kid gobbles up candy on Halloween. Now this was a bit of an unfair test, not installing AV software, but still, the "we're making Windows more secure" mantra has been going at MS for a while now, you'd think that this would be better.

On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Please be aware that a) it has nothing to do with UFies and is just a well crafted spam trying to get you to run some random .exe. Don't click it and if there is ever a question, please contact me directly. Also the chances of a server update requiring you to run a .exe on your computer are 0.0%.

Another Lifehacker note is that AVG 9 Free Now Ready for Download. Though for the first time in years I'm not using AVG and am testing the new Microsoft suite. No word if this AVG release removes some of the annoying "you know you want the non-free version... come on...." popups when using the app.

I haven't seen much confirmation of this, but I'd be a hypocrite if I didn't point to a story where <screaming alarm voice>a Major bug in Snow Leopard deletes all user data</screaming alarm voice>. It appears to be centered around the guest account, and logging into it, then back into your account deletes all your data (if it's true, Steve Jobs deserves a spanking, cause that's bad), but might also have to do with the way you upgraded to Snow Leopard, upgrade vs fresh install or something. Read the article and watch for news about this, and maybe stop using the guest account until this is all worked out. And maybe switch back to a PC for a bit too....

A sneaky inside source in the Microsoft world pointed me to uhm... well, already public information about Microsoft Security Essentials, which will be available to the public tomorrow, free of charge. MSE is Microsoft's integrated anti-malware, anti-virus solution, which I'm sure that McAfee, Symantec and friends are going to be happy with.

The original version was open to only 75,000 users, but if you knew where to look *cough*softpedia*cough* you could still find the download from the Microsoft site. Now they have announced that it is available now. No fees, no registration, no renewals, no nothing. OMFG, have they done this right? One might argue they should have done it sooner, shouldn't have done it at all, should just fixtheirdamnOSdammit, and the like, but a couple of people that I respect greatly in the security space (including Steve Gibson of the Security Now! podcast have given it a thumbs up (and if you know how paranoid Steve Gibson is, who just recently upgraded from Windows 2000 to XP... though that might take away some credibility :) ) that's quite the endorsement).

I've got this installed on my new Windows 7 install instead of AVG for the first time in years, and so far I can say it hasn't gotten in the way, has warned me of a couple of infected keyge... uhmm... files, and hasn't appeared to suck up too many system resources. I'm giving it a cautious "works for me" so far.

Anyway, Microsoft Security Essentials is out, free, and available for download now. Guess the next step is to wait for the reviews to come out and see what the other experts think of it.

Why you need balls of steel to operate a Tor exit node details some of the things that might happen if you run a Tor exit node. Now personally I'm glad that Tor exists and think that it is an essential part of society/internet/etc, even though some of it's uses are completely unsavory. Still, after reading this I have to applaud the people who do take on the responsibility.

Looks like you can send malformed SMB headers at a fully patched Vista/Windows 7 server and "poof", BSOD. I haven't tested this of course, but something to be aware of, I'm sure a patch for this will be coming out RSN.

The saving grace is that SMB2 is probably not going to be a) enabled on a server connected to the net or b) allowed into a corporate LAN from the outside. Still a danger though...

Torrent Freak points out that the copy of The Pirate Bay that was posted has been brought to life, and is up and running over at btarena.org. Or at least I think it is. Hard to tell. Anyway, the 21G of torrents are up and going and alive and well out in the wild.

Really interesting article over on Slashdot on SEncryption? What Encryption? and discussing how having an encryption program that you can be forced to give up the keys to (or arrested for refusing to) automatically puts you under suspicion, because if you do have some sort of program like TrueCrypt then you must have something to hide. The author goes through the pros and cons of a few different ways, and proposes some interesting ideas of ways for plausibly deniable encryption to become a little bit more mainstream and "normal", and therefor not as much of a red flag that you have evil anti-government subversive videos hidden on your hard drive.

Quick note that Mozilla has released Firefox 3.5.2, so if you don't see a "firefox has updated, restart now?" when you get into the office this morning, go to help -> check for updates to get yourself up to date and protected against a couple of security vulnerabilities.

Very interesting story about the raid and takedown of UWWWB by the FBI (I had never heard of them before this) from the point of view of the owner. An excerpt:

Here's what happened: March 12th, 2009, at about 5:AM in the morning, my home alarm system went off. I get up to see what’s going on, on maybe 3 hours of sleep, and my wife points out there are two people with flash lights in my back yard. Now, this may not be unusual for everyone, but I lived in a fairly nice home in Southlake Texas, the United States highest per-capita income city for 2008. A very nice community, virtually no crime, and excellent schools. That is to say, I did not live in a shack in the hood, this is nice suburbs, and not where the FBI usually does raids.

Reading the full story it is an interesting tale from a point of view that you don't normally hear, and basically amounts to a huge headache (to say the least) based on the ability for someone to cry wolf and bring the full might of the US government down on someone without that much investigation (at least in this case).

Saw via Slashdot that Microsoft Update Quietly Installs Firefox Extension. Technically I'm sure it wasn't silent, and that somewhere buried in the small print it said it was going to do this, but still, that's no excuse. AVG does the same thing to show "safe links" in your google results, and I have the same opinion. Don't F-n do it. Or if you do, have it on a separate page of the install wizard, defaulting to no showing clearly what you're doing. Like Sun does for the google toolbar (or is it yahoo now?) when they do a java update. Well, without the default to No that is.

So if you're website is down (like our companies is) or you're wondering why half the internet is dark, this may be the reason :) Some people are reporting it's back, but with sporadic response from their DNS servers.

We're into the Pirate Bay Trial Day 8 and things are progressing, but not hugely so. Some choice pickings from the entry on torrentfreak:

Kennedy said he qualified as a lawyer since the 70’s but hasn’t practiced recently. He was asked if he understood BitTorrent. Kennedy said he did, but in “very vague terms.” When the defense lawyers asked more detailed questions, about uTorrent for instance, Kennedy said he’d heard of it but had no idea of the details. It was very clear he knew nothing about any remotely technical issues.

If you want to see the real nightmare for the prossecution, check out what happened on day 7:

When asked if he had any network equipment logging exactly what was going on ‘behind the scenes’ of any of his sample downloads, he replied that he didn’t. When asked if he verified in any way during the download process that he had any contact with The Pirate Bay’s tracker, again the answer was negative.
[...]
Then, Nilsson came out to say that he was sure that a majority of the content on The Pirate Bay was copyrighted. However, he had no evidence that supports this claim. The defense lawyers pressed him on this and he had to cave in, “I have no documentation as to the claim that most material is copyrighted. It is just an opinion,” Nilsson said.

I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

My thoughts on this are twofold if I were to do this (and he has some good arguments on it): 1 - I'd want a 'no wireless' button so that anyone using my wireless is cut off when I'm playing games... nothing sucks like having a high ping for no reason all of a sudden and 2 - I'd probably want to DMZ the wireless so it is separated from the rest of my internal network. Having open wireless is very nice.... it annoys me if I'm wandering into some random building in downtown and want to check my email from my iPod and all the networks are encrypted and not using 'admin and password'. Of course, out in the boonies where I live I doubt there'd be a whole lot of "walk in" traffic as it were :)

# If you don't use a blocklist, you will be tracked. Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.

I'd never advocate piracy or copyright infringement, but if you are one of those evil pirates, an interesting read which will make you shutdown your torrent client until you install a blocklist of some sort. The only ones I really know of are:

Chris Pirillo pointed out some software from BananaSecurity which uses a webcam to recognize your face, lock your computer when you're not there, and unlock it only when it recognizes your face again. Obviously there are some questions about this, like what if I'm wearing a hat, what if it's darker/lighter, how secure is the lock it puts on your computer, and what if I want to use the webcam? Course, it still interest me greatly as the laptop that work got for me has a built in webcam on it...

If you're one of the fine folks who downloaded the Safari public beta be careful, there is a 0 day exploit out already. Don't think this is in the wild, but definitely potentially dangerous due to bad handling of URI protocols. Hmm... page seems to be dead....

Now this is supercool! Via slashdot (discussion) comes a Windows firewall squeezes on a USB key. The "windows" part of is is a bit of a misnomer though, it's actually a firewall running linux as the core and a bunch of security applications on top of it, but currently it only works when plugged into a Windows host.

It sounds like the system grabs network traffic as it comes into the windows host, does the happy-happy firewalling stuff, then passes things back to the host. Linux and Mac drivers are planned.

Check the screenshots midway through the article too, very sexy graphs!

Hmm.... firewall on a small host, I wonder where I've heard of those before? :) If anyone remembers the cool project the dot-com I was part of that created the firecard, we did something similar, or at least, kinda similar. At the time we used RJ45 jacks (like Yoggie Systems' previous version) and we were on a PCI card instead of a USB key. OK, maybe not that similar then....

Slashdot announced that TrueCrypt 4.3 was Released. Fun new features are 32/64 bit Vista support, ability to load it onto mp3 players, and auto-dismount in addition to the fun stuff like hidden volumes, plausible deniability, "traveler mode", and other fun stuff. Check it out at http://www.truecrypt.org/

Lifehacker takes on a comparison of two of the major disk encryption systems available and puts them in a bloodthirsty cage match. OK, maybe not quite.... however, the OS Encryption Showdown: Vista's BitLocker vs. Mac's FileVault is a good primer as to what's available and the up and downsides. Read the article to see who wins!

I'm disappointed that Linux doesn't have an offering here. Actually, I'm disappointed Linux doesn't have a user friendly offering here. Linux has had disk encryption for a while now, it just hasn't had the friendly frontend that OS/X and Vista have put on it, and instead make the user resort to typing in cryptic commands like dd and cryptsetup and dealing with terms like 'loop-AES' and 'LUKS'.

Speaking of Vista, here's a link to a OS Security Features Chart over on Matasano Chargen's blog. Interesting, though I wonder how targeted this was at Vista. I'd like to see something similar for Linux (ie: grsec, selinux, and friends).

Found this one on LifeHacker.... a nifty portable app for your ipod (works fine on a USB key though) called DemocraKey.

Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It’s here, and the DemocraKey 2.0 Lite let’s you have it on your iPod.

You can use it either to access the freedoms and justices you deserve from inside a repressive state, or surf porn from school, whichever one floats your boat :)

Darren pointed me to an article on Lifehacker on setting up Hamachi, what looks like a nice and quick VPN tool. Not exactly the industry strength stuff you would want to connect your satallite offices (for that you'd probably go openvpn or freeswan), but for getting into friends machines for maintenance, or a quick an dirty connection to surf pr0n from home from work it sounds like the way to go. Win/Linux/Mac as well which is nice.

If you've been hit by the ugly virus that encrypts all the files on your hard drives and then extorts you for cash, you're lucky. The article states that the virus has been cracked and that the password you need is: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw".

Calling all Windows Security Experts... Firewall Dashboard 1.1 Now Available

I know I rag on Microsoft, and Windows security, but at least there are those out there doing something about it. My ex-boss, ex-coworker and good friend Dana has just released version 1.1 of Firewall Dashboard. New features include:

Import/export of config for deployment to multiple machines

A new plugin to aid in remote monitoring for managed service providers

New reports and the usual array of bugfixes and tweaks

For those of you who don't know what Firewall Dashboard is, it's a firewall log report creation tool for Windows firewalls. Probably pictures speak louder than words, so just hit the screenshots.

Denyhosts Tutorial
HowtoForge has a nice tutorial on Preventing SSH Dictionary Attacks With DenyHosts. This is the program I installed last week on UFies and it seems to be working just fine. So far I have 37 IPs blocked, and my SSH attempts are down to under 100 to over 20,000 per day :)

Worried About New Windows Activation Checks? Don't Be.
Recently MS has said they are going to start doing checking for piracy when doing a windows update. Worried? Don't be, the system was cracked in 24 hours using a simple line of javascript. Maybe all that integration of IE is a good thing!

Movable Type Exploit Fixed
A Movable Type Vulnerability has been patched with the lastest version. Everyone who has a blog on ufies please make sure you upgrade ASAP (there is also an upgrade in the form of a plugin for ease of update.

Adaptive Firewalls with Snort and SnortSam
I was browsing around some stuff for setting up Snort on my network and came across a link to SnortSam, which lets you modify your firewall based on Snort IDS rules. I'm thinking this will go a long ways towards setting up a way to kill off some of the comment spammers. IE: set up a rule that will detect if someone tries to hit mt-comments from the same IP more than say, once per second and then block them for an hour (or send a pingflood back to them, with a big "screw you spamming asshole" written on the nose, whichever you prefer :)

New MovableType Release Addresses Spam Load Issues
The new Movable Type 3.14 apparently addresses the load issues that have come up from comment spammers attacking system and driving up the load on the server.

I've blogged about the problems I've had with this. So subtle hint to all of you guys with MT3 on the UFies.org server, please upgrade :)

More Linux vs Windows Security
The Reg has a long Windows vs Linux report. Linked from /. (discussion), and it seems to take into account things like damage potential, ease of exploitation, size of deployment, busting some myths, etc. I haven't had a chance to read the entire thing yet, but while the Reg isn't the biggest MS fan in the world, I trust their reporting a bit more than Microsoft's "facts" somehow. But hey, I'm biased as well.

I guess the problem is that no matter who does the reporting and comparing they'll have some link to something, or someone will dig up that sometime around 1992 someone in the organization mentioned that "this microsoft thing is kinda cool" and therefor is biased, or they have a linux server so they can't possibly report fairly.

It's also the right tool as Dana is constantly saying, but there are definately crossovers in between linux and windows as far as the tools that are available for both. Anyway, recommended reading of course, and the /. discussion I'm sure will be full of intelligent and calm discussion :)

BSD IDS
There is a new Intrusion Detection System for FreeBSD. The thesis is available. From the email to the IDS list:

The IDS system is designed as a kernel module for FreeBSD 5.2. It is
inspired by the SpamAssassin program, which detects spam by applying a set
of tests to every email message and counting a sum of point score generated
by each test. My IDS system applies a set of tests to every running process
in the OS and counts its score generated by the tests. Therefore, the
purpose of the IDS is not to monitor the network traffic, but rather to
monitor the process activity.

MS Users Start Your Upgrades!
As seen on slashdot, it looks like a whack of new updates for windows have been posted to the Microsoft technet update page. Included in the goodness are Shell, NNTP, SMTP, Zip, and a few others. Doesn't look like it's on windows update yet, but you can download the hotfixes from the linked page. Not all these affect all versions, and in a couple of cases it looks like you're safe if you are running xpsp2, but not all.

Microsoft only Half Patches (again)
Shocking as it may seem, apparently the patch release by Microsoft a few days ago to patch a serious hold in Internet Explorer only addressed the immediate problem, and left users open to another closely related security hold. Full story here. Isn't this the same thing that happened with WinNuke back in the day?

Retractable EmailBig String is an email service which claims that it lets you recall, erase, and time out email. I'm interested in how they claim to do this (or how they plan to reach into my /home/alan/Mail/inbox spool file and delete chunks of data. Sadly the "Free trial" requires a credit card number. Anyone have any experience with this, or know someone with this service?

Ah, they link to a server that stops serving the images/files after you decide. Stupid and lame, figured so.

Gallery Users Time to UpgradeGallery users will want to upgrade to the latest version ASAP. Apparently there's a new exploit that's out or almost out that I was alerted to, and people outta get their systems up to date.

Another Comment Spam Killing Solution
While MT-Bayesianisn't perfect, it could have some advantages over mt-blacklist. For those of us who were caught over the weekend by the comment spam zombies and had to (in my case) clean 1200+ comments out, this might be something worth looking at. If you are running mt-blacklist don't forget to upgrade to the latest version and to import the master blacklist file.

Google takes a stand on spyware....Google's software principles basically say "don't screw over the customer". This isn't going to stop spyware bastards from doing their dirty work, but it is nice to see that someone is thinking of trying to start a trend towards making your computing experience safe.

These guidelines are, by necessity, broad. Software creation and distribution are complex and the technology is continuously evolving. As a result, some useful applications may not comply entirely with these principles and some deceptive practices may not be addressed here. This document is only a start, and focuses on the areas of Internet software and advertising. These guidelines need to be continually updated to keep pace with ever-changing technology.

Some OS Myths Debunked
There's a good series of articles over at OSNews.com on Common OS Myths Debunked. Not all Linux friendly and not all Windows friendly. I don't agree with all of the writers opinions, but so far it seems to be pretty brually honest. For example, when talking about the "myth" that windows is bad for the server the author says (after agreeing that the myth isn't a myth at all):

s more effectively, than on a Linux system where the web server is running "far removed from the OS." I am no security expert but if you tried to sell your web server to the Linux community on the basis that it "works in kernel space instead of user space!" you would be laughed out of the room, and possibly the state.

It's a good read, both to take stock of your own misconceptions as well as to get some ammo when talking to people who insist that "X is better than Y for Z".

Statement of GNU/Linux Security
Debian, RedHat, Mandrake, SUSE and Mandrake have released a Joint Statement about GNU/Linux Security in response to a report on Linux security. Basically it points to flaws in the original reports methodology (considering every vulnerabilty as having the same danger), and says that closer investigation of the reports conclusions should conducted.

This has always been one of the problems with examining security between Windows and Linux (or any different OS)... high profile or low profile, root exploits, local, remote, etc all come into play, and you rarely see a comparision where all these factors are taken into account.

My way of looking at it is how comfortable would I be putting a box of either type connected directly to the internet without a (separate) firewall? Hint. Not windows :)

SCO and Darl - What Drugs are They On?
In an open letter, Darl McBride determines that the GPL and open source software is, among other things, a threat to US security. Evil doubleplus bad people in other countries can obtain "their" intellectual property for free over the internet (even from countries they as good wholesome apple pie eating Americans would never sell to) and use the technology to build a virtual supercomputer in short order. This supercomputer would no doubt be used to create more weapons of mass destruction, without giving SCO their just desserts, and kill puppies.

I'm convinced that you have to be on some really good drugs to reach these conclusions.

Postfix MyDoom Fixes
There is someone's body_checks file available for postfix users to help squash the MyDoom virus (thanks again microsoft!). You can put this into your postfix setup by adding the following line to main.cf:

body_checks = regexp:/etc/postfix/body_checks

with the body_checks file being something like what is posted in the link. In theory it should work :)

Anyone know of a good integrated virus checker for postfix like qmail has?

Spamassassin Rules of the Day
Lately I've been seeing Spamassassin's accuracy go down and down and down. A message on the gentoo-user list pointed me to the Spamassassin Wiki and in particular the Rules Du Jour page. Basically new rules to help deal with the constantly changing battlefield of fighting spammers that you can download whenever suits you (or via a handy cron entry) and in theory SA's accuracy will go up.

Buy Security From Microsoft
Dana's security blog has a pointer to an article which notes that Readers Wouldn't Buy Security Products From Microsoft. I'm in total agreement. Lots of interesting comments on this one, with many good points. As I noted elsewhere, Microsoft can't write a word processor that isn't vulnerable to attacks and viruses, why should people trust them to write security software. They write user friendly OSs and decent applications, but much as they'd love to sell you otherwise (and I'm sure they will be telling people how wonderful a security company they are as much as they are starting to hype Longhorn), they should stay out of the security market.

Sadly, they probably won't, and will go in with all their resources, marketting, bloggers and programmers and probably squeeze some of the security vendors out of the market (ie: zonealarm) as they try to sell us on the "no, you can trust us this time" marketting hype that's no doubt coming.

As Dana noted they have a chance with Longhorn to prove they can create a secure OS. It'll be here in 2006 (or later), so you can see that as either a huge opportunity for security products and/or alternative OSs to jump in, or sad because the people that are being hit by viruses and worms aren't the sort of people that do anything to their OS from the time they buy their new computer (ie: the stereotypical mom, dad, granny and grampa).

Bug In MS Exchange 2003
Anyone running an Exchange server might want to take note of it's latest flaw. "[...] a person can gain unauthorized access to another users account."

What makes this even funnier to me is that not that long ago I read someone comment on a blog somewhere (might have been on scoble) saying that exchange was "invaluable" to them. People run exchange on purpose? Why? Anyway, I resisted responding at the time. Guess this is a good response though :)

3D NMap
Very cool.... Scanmap3D is a java program that displays nmap information in a 3d format. The screenshots look pretty nifty. Also check out nmap3d which is I assume, a similar program (though no screenshots so I can't assert it's niftyness).

Analysis of a Compromised Honeypot
Fascinating article entitled Analysis of a Compromised Honeypot, which gives an interesting look into how script kiddies and crackers think and operate. Via the honeypots mailing list.

Mitnik's Missing ChapterMitnick's 'Lost Chapter' Found is a wired story about how Kevin Mitnik's book, The Art of Deception, had it's first chapter (detailing his early life and some issues he has with Markoff's famous NYT front page story) pulled at the last minute. Seems that the chapter made it to the internet, and it is quite a good read. I wouldn't mind picking the book up either.

E-Card Trojans
This securityfocus story shows one more reason why you should use a browser that is non-activeX. There's a nice (and authentic-looking) trojan that poses as an e-card greeting requiring you to install a greeting card plugin that feeds porn ads to you.

The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.